Abstract

It is generally believed that unconditionally secure quantum bit commitment is impossible, due to widespread acceptance of an impossibility proof that utilizes quantum entanglement cheating. In this paper, we delineate how the impossibility proof formulation misses various types of quantum bit commitment protocols based on two-way quantum communications. We point out some of the gaps in the impossibility proof reasoning, and present corresponding counterexamples. Four different types of bit commitment protocols are constructed with several new protocol techniques. A specific Type 4 protocol is described and proved unconditionally secure. Security analyses of a Type 1 protocol and a Type 2 protocol are also sketched. The security of Type 3 protocols is as yet open. A development of quantum statistical decision theory and quantum games is needed to provide a complete security analysis of many such protocols.



*E-mail: yuen@ece.northwestern.edu

†Note: this paper analyzes in detail, for the first time, the various gaps in the QBC impossibility proof, many of which I indicated before but few of which seem to be understood. There is clearly a need to focus on these gaps, which is an issue logically distinct from whether any protocol can be proved unconditionally secure. One of the original three protocols I described in the QCM at Capri, July 2000, protocol Y3 that appeared as QBC1 in v2 of this paper, was pointed out to be insecure in the QCM at MIT, July 2002. It is extended, with the same underlying idea, and renamed QBC4 in this v3 with a full security proof. A considerable amount of new material is also added, including a protocol based on cheating detection alone and clarifications on unknown parameters and entanglement purification. It is also stressed that a priori there can be no impossibility proof without a QBC definition.
1 Introduction



There is a nearly universal acceptance of the general impossibility of secure quantum bit commitment (QBC), taken to be a consequence of the Einstein-Podolsky-Rosen (EPR) type entanglement cheating which supposedly rules out QBC and other quantum protocols that have been proposed for various cryptographic objectives. In a bit commitment scheme, one party, Adam, provides another party, Babe, with a piece of evidence that he has chosen a bit $b$ (0 or 1) which is committed to her. Later, Adam would open the commitment by revealing the bit $b$ to Babe and convincing her that it is indeed the committed bit with the evidence in her possession, which she can verify. The usual concrete example is for Adam to write down the bit on a piece of paper, which is then locked in a safe to be given to Babe, while keeping for himself the safe key that can be presented later to open the commitment. The evidence should be binding, i.e., Adam should not be able to change it, and hence the bit, after it is given to Babe. It should also be concealing, i.e., Babe should not be able to tell from it what the bit $b$ is. Otherwise, either Adam or Babe would be able to cheat successfully.

In standard cryptography, secure bit commitment is to be achieved either through a trusted third party, or by invoking an unproved assumption concerning the complexity of certain computational problems. By utilizing quantum effects, specifically the intrinsic uncertainty of a quantum state, various QBC schemes not involving a third party have been proposed to be unconditionally secure, in the sense that neither Adam nor Babe could cheat with any significant probability of success as a matter of physical laws. In 1995-1996, a supposedly general proof of the impossibility of unconditionally secure QBC, and the insecurity of previously proposed protocols, was presented. Henceforth it has been generally accepted that secure QBC and related objectives are impossible as a matter of principle.

There is basically just one impossibility proof, which gives the EPR attacks for the cases of equal and unequal density operators that Babe has for the two different bit values. The proof purports to show that if Babe's successful cheating probability $P_c^B$ is close to the value 1/2, which is obtainable from pure guessing of the bit value, then Adam's successful cheating probability $P_c^A$ is close to the perfect value 1. This result is stronger than the mere impossibility of unconditional security, namely that it is impossible to have both $P_c^B \approx 1/2$ and $P_c^A \approx 0$. The impossibility proof describes the EPR attack on a specific type of protocols, and then argues that all possible QBC protocols are of this type.

Typically, one would expect that a proof of impossibility of carrying out something X would show that any possible way of doing X would entail a feature that is logically contradictory to given principles, as, for example, in the cases of quantum no-cloning and von Neumann's no-hidden-variable theorem [14]. In the present case, one may expect a proof which shows, e.g., that any QBC protocol that is concealing is necessarily not binding. It is important for this purpose that the framework of QBC protocol formulation is all-inclusive. In the absence of a proof that all possible QBC protocols have been included in its formulation, any impossibility proof is at best incomplete. Indeed, in the QBC impossibility proof, only certain techniques of protocol design, such as the use of classical random numbers in a quantum protocol, are included in its formulation without showing that all possible techniques have been included. In this paper, we will describe several new techniques that are not accounted for in the impossibility proof formulation.

There are two related assertions in the impossibility proof that are crucial to both its 
claim of universality in general, and its specific claim of covering the use of random numbers 
in particular. These are the assertions that all measurements in the commitment phase of 
a quantum protocol can be postponed until the opening and the verification phases, and 
that classical random numbers can be equivalently described by pure quantum states, via 
quantum purification or the doctrine of "Church of the Larger Hilbert Space." In this paper, 
we will extensively analyze the serious problems associated with these assertions. 

The essential argument of the general impossibility proof is described in Section 2, and some of its problems are indicated in Section 3. A proper framework for QBC protocols is discussed in Section 4. In Section 5, we describe several new protocol techniques that lead to the development of four new types of protocols not covered by the impossibility proof. In Section 6 we describe Type 1 protocols, in which the postponement of a measurement until opening and verification would yield a protocol with different cheating performance. A specific protocol QBC1 is presented with a sketch of the security proof. In Section 7, the logic underlying Type 2 protocols is delineated. A specific protocol, QBC2A, is presented with an outline of the security proof. The security analyses of protocols QBC1 and QBC2A are not complete in the sense that exact optimality can only be proved with a sequential quantum decision theory yet to be developed, although all essential points are included under the assumption that no party can cheat if it can be detected with a nonvanishing probability before a bit is committed. In Section 8 the widely accepted equivalence between classical randomness and quantum purification is analyzed. We will show that they are not equivalent in bit commitment. We also introduce Type 3 protocols, the security status of which is yet undecided. In Section 9 we introduce Type 4 protocols which involve Babe's open questions related to Adam's committed evidence. A specific protocol QBC4 is proved unconditionally secure. The last section contains a brief summary of the main points. The appendices, especially Appendix B, are an integral part of the paper, being separated for convenient organization of this rather subtle and multi-faceted subject. Also, the different types of protocols in this paper are not mutually exclusive. Again, they are mainly introduced for the purposes of organization.
2 The impossibility proof: Type 0 protocols

The impossibility proof, in its claimed generality, has never been systematically spelled out in one place, but the essential ideas that constitute this proof are generally agreed upon [11]. The formulation and the proof can be cast as follows. Adam and Babe have available to them two-way quantum communications that terminate in a finite number of exchanges, during which either party can perform any operation allowed by the laws of quantum physics, all processes ideally accomplished with no imperfection of any kind. During these exchanges, Adam would have committed a bit with associated evidence to Babe. It is argued that, at the end of the commitment phase, there is an entangled pure state $|\Phi_b\rangle$, $b \in \{0, 1\}$, shared between Adam who possesses state space $\mathcal{H}^A$, and Babe who possesses $\mathcal{H}^B$. For example, if Adam sends Babe one of $M$ possible states $\{|\phi_{bi}\rangle\}$ for bit $b$ with probability $p_{bi}$, then

$$|\Phi_b\rangle = \sum_i \sqrt{p_{bi}}\,|e_i\rangle|\phi_{bi}\rangle \qquad (1)$$

with orthonormal $|e_i\rangle \in \mathcal{H}^A$ and given $|\phi_{bi}\rangle \in \mathcal{H}^B$. Adam would open by making a measurement on $\mathcal{H}^A$, say $\{|e_i\rangle\}$, communicating to Babe his result $i_0$ and $b$; then Babe would verify by measuring the corresponding projector $|\phi_{bi_0}\rangle\langle\phi_{bi_0}|$ on $\mathcal{H}^B$, accepting as correct only the result 1.

More generally, when classical random numbers known only to one party are used in the commitment, they are to be replaced by corresponding quantum entanglement purification. The commitment of $|\phi_{bi}\rangle$ with probability $p_{bi}$ in (1) is, in fact, an example of such purification. An example involving Babe is an anonymous state protocol [15]-[16] where $|\phi_{bi}\rangle$ in (1) is to be obtained by Adam applying unitary operations $U_{bi}$ on a state $|\psi_k\rangle \in \mathcal{H}^{B1}$ sent to him by Babe with probability $\lambda_k$, $k \in \{1, \ldots, K\}$. Generally, for any random $k$ used by Babe, it is argued that from the doctrine of the "Church of the Larger Hilbert Space" [10], it is to be replaced by the purification $|\Psi\rangle$ in $\mathcal{H}^{B1} \otimes \mathcal{H}^{B2}$,

$$|\Psi\rangle = \sum_k \sqrt{\lambda_k}\,|\psi_k\rangle|f_k\rangle \qquad (2)$$

where the $|f_k\rangle$'s are complete orthonormal in $\mathcal{H}^{B2}$ kept by Babe while $\mathcal{H}^{B1}$ would be sent to Adam. With such purification, it is claimed that any protocol involving classical secret parameters would become quantum-mechanically determinate, i.e., the shared state $|\Phi_b\rangle$ at the end of commitment is completely known to both parties. Note that, from (2), this means that both $\{\lambda_k\}$ and $\{|f_k\rangle\}$ are taken to be known exactly to both Babe and Adam.

Why should Adam and Babe share a pure state instead of a mixed one at the end of commitment? One key ingredient of the impossibility proof is the use of measurement purification, or quantum computers, in lieu of actually taking macroscopic measurement readings. During commitment, quantum registers holding the measurement results would be passed along instead. Furthermore, any measurement followed by a unitary operation $U_l$ depending on the measurement result $l$ would be equivalently described by an overall unitary operator. Thus, if the orthonormal $\{|g_l\rangle\}$ on $\mathcal{H}^{C1}$ is measured with result $l$, and then $U_l$ operates on $\mathcal{H}^{C2}$, it is equivalent to the unitary operation

$$U = \sum_l |g_l\rangle\langle g_l| \otimes U_l \qquad (3)$$

on $\mathcal{H}^{C1} \otimes \mathcal{H}^{C2}$. It is claimed that any actual measurement during commitment can be postponed until the opening and the verification phases of the protocol without affecting the protocol in any essential way. In order to maintain quantum determinacy, the exact $\{|g_l\rangle\}$ in (3) are taken to be known to both parties, even though the measurement may be chosen by a party among different possible alternatives. Let us use $k$ to denote Babe's secret parameter, and $i$ to denote Adam's secret parameter, such as the $i$ with probabilities $\{p_i\}$ in (1). These crucial assumptions of openly known $\{p_i\}$, $\{\lambda_k\}$, $\{|f_k\rangle\}$, and $\{|g_l\rangle\}$ are made in the impossibility proof through the use of known fixed quantum computers or quantum machines for data storage and processing by either party, even though the control of such machines belongs only to one of the parties.

Generally, Babe can try to identify the bit from $\rho_b^B$, the marginal state of $|\Phi_b\rangle$ on $\mathcal{H}^B$, by performing an optimal quantum measurement that yields the optimal cheating probability $P_c^B$ for her. Adam cheats by committing $|\Phi_0\rangle$ and making a measurement on $\mathcal{H}^A$ to open $i$ and $b = 1$. His probability of successful cheating is computed through $|\Phi_b\rangle$, his particular measurement, and Babe's verifying measurement; the one optimized over all of his possible actions will be denoted $P_c^A$. For a fixed measurement basis, Adam's cheating can be described by a unitary operator $U^A$ on $\mathcal{H}^A$. Thus, his general EPR attack goes as follows. For a general protocol, the shared state $|\Phi_b\rangle$ at the end of commitment is not necessarily of the form (1), but is nevertheless an openly known pure state on $\mathcal{H}^A \otimes \mathcal{H}^B$. If the protocol is perfectly concealing, i.e., $P_c^B = 1/2$, then $\rho_0^B = \rho_1^B$. By writing $|\Phi_b\rangle$ as the Schmidt decomposition on $\mathcal{H}^A \otimes \mathcal{H}^B$,

$$|\Phi_b\rangle = \sum_j \sqrt{\lambda_j}\,|e_{bj}\rangle|\phi_j\rangle, \qquad (4)$$

where $|\phi_j\rangle$ are the eigenvectors of $\rho^B$ and $\{|e_{bj}\rangle\}$ for each $b$ are complete orthonormal in $\mathcal{H}^A$, it follows that Adam can obtain $|\Phi_1\rangle$ from $|\Phi_0\rangle$ by a local cheating transformation $U^A$ that brings $\{|e_{0j}\rangle\}$ to $\{|e_{1j}\rangle\}$. Whatever operations he needs to perform to open, which may involve identifying his previous operation rather than a state on $\mathcal{H}^B$, can be carried out accordingly after the cheating transformation. Thus his optimum cheating probability is $P_c^A = 1$ in this case.
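The EPR attack just described, as an added worked example (not code from the paper): it builds the coefficient matrices of $|\Phi_b\rangle$ in the form (1) for a constructed two-state instance, evaluates Babe's cheating probability from (6), and when the two marginals agree computes the local unitary $U^A$ of (4) through a polar decomposition and checks that it maps $|\Phi_0\rangle$ onto $|\Phi_1\rangle$. A second, non-concealing pair is included for contrast; the function names are mine, not the paper's.

```python
# Added example (not code from the paper): the Type 0 EPR attack of Section 2.
# Notation follows the paper: |Phi_b> = sum_i sqrt(p_bi) |e_i>|phi_bi>  (eq. 1),
# rho_b^B = tr_A |Phi_b><Phi_b|, Babe's optimal cheating probability from eq. (6),
# and Adam's local cheating unitary U^A on H^A from the Schmidt argument of eq. (4).
import numpy as np

def commitment_matrix(states, probs):
    """Coefficient matrix M_b of |Phi_b>: row i holds sqrt(p_bi) times the amplitudes of
    |phi_bi>, i.e. M_b[i, j] = <e_i, j | Phi_b> for Adam's record |e_i> and Babe's basis |j>."""
    return np.array([np.sqrt(p) * np.asarray(phi, dtype=complex)
                     for p, phi in zip(probs, states)])

def babe_marginal(M):
    """rho_b^B = tr_A |Phi_b><Phi_b| = M_b^T conj(M_b), Babe's reduced state on H^B."""
    return M.T @ M.conj()

def trace_norm(tau):
    """||tau||_1 = tr (tau^dagger tau)^{1/2}; for Hermitian tau, the sum of |eigenvalues|."""
    return float(np.sum(np.abs(np.linalg.eigvalsh(tau))))

def babe_cheating_probability(M0, M1):
    """Eq. (6): P_c^B = (1/4)(2 + ||rho_0^B - rho_1^B||_1), the Helstrom optimum
    for distinguishing the two marginals with equal priors."""
    return 0.25 * (2.0 + trace_norm(babe_marginal(M0) - babe_marginal(M1)))

def adam_cheating_unitary(M0, M1, tol=1e-9):
    """EPR attack: when rho_0^B = rho_1^B, |Phi_0> and |Phi_1> are two purifications of the
    same state, so a unitary U^A on H^A alone maps one to the other (eq. 4).
    Polar decomposition M_b = W_b |M_b| with |M_b| = (M_b^dagger M_b)^{1/2}: equal marginals
    give equal |M_b|, hence M_1 = W_1 W_0^dagger M_0.  Returns None if not perfectly
    concealing.  Assumes the marginals have full rank (true for the instances below)."""
    if trace_norm(babe_marginal(M0) - babe_marginal(M1)) > tol:
        return None
    dB = M0.shape[1]
    def polar_isometry(M):
        U, _, Vh = np.linalg.svd(M, full_matrices=False)
        return U @ Vh                     # W_b: the unique isometry part of M_b
    def complement(W):
        U, _, _ = np.linalg.svd(W)        # columns dB.. span range(W)^perp in H^A
        return U[:, dB:]
    W0, W1 = polar_isometry(M0), polar_isometry(M1)
    # W_1 W_0^dagger already acts correctly on the support of rho_0^A; the second term
    # completes it to a unitary on all of H^A (it is empty when dim H^A = dim H^B).
    return W1 @ W0.conj().T + complement(W1) @ complement(W0).conj().T

def open_as_one_success(M0, M1, UA):
    """|<Phi_1| (U^A x I) |Phi_0>|^2: when this overlap is 1, Adam's opening measurement
    plus Babe's projector verification for b = 1 succeeds with certainty."""
    return float(abs(np.sum(M1.conj() * (UA @ M0))) ** 2)

# Constructed instance: M = 2 states per bit, p_bi = 1/2.  b = 0 uses |0>, |1>;
# b = 1 uses |+>, |->.  Both give rho_b^B = I/2, i.e. the protocol is perfectly concealing.
ZERO, ONE = [1, 0], [0, 1]
PLUS, MINUS = [2 ** -0.5, 2 ** -0.5], [2 ** -0.5, -(2 ** -0.5)]
M_CONCEAL_0 = commitment_matrix([ZERO, ONE], [0.5, 0.5])
M_CONCEAL_1 = commitment_matrix([PLUS, MINUS], [0.5, 0.5])
# A leaky variant for contrast: b = 1 uses |0>, |+>, so the two marginals differ.
M_LEAKY_1 = commitment_matrix([ZERO, PLUS], [0.5, 0.5])

if __name__ == "__main__":
    print("concealing pair: P_c^B =", babe_cheating_probability(M_CONCEAL_0, M_CONCEAL_1))
    UA = adam_cheating_unitary(M_CONCEAL_0, M_CONCEAL_1)
    print("U^A =\n", np.round(UA, 6))
    print("P(open as b=1 after committing b=0) =",
          open_as_one_success(M_CONCEAL_0, M_CONCEAL_1, UA))
    print("leaky pair: P_c^B =", babe_cheating_probability(M_CONCEAL_0, M_LEAKY_1),
          "U^A:", adam_cheating_unitary(M_CONCEAL_0, M_LEAKY_1))
```

For the concealing pair the computed $U^A$ is the Hadamard matrix, which sends $(|e_0\rangle|0\rangle + |e_1\rangle|1\rangle)/\sqrt{2}$ to $(|e_0\rangle|+\rangle + |e_1\rangle|-\rangle)/\sqrt{2}$ exactly; for the leaky pair $P_c^B = (2 + \sqrt{2}/2)/4 \approx 0.68$ and no such unitary exists.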

For unconditional, rather than perfect, security, one demands that both cheating probabilities $P_c^B - 1/2$ and $P_c^A$ can be made arbitrarily small when a security parameter $n$ is increased. Thus, unconditional security is quantitatively expressed as

$$\text{(US)} \qquad \lim_{n} P_c^B = \frac{1}{2}, \qquad \lim_{n} P_c^A = 0. \qquad (5)$$

The condition (5) says that, for any $\epsilon > 0$, there exists an $n_0$ such that for all $n > n_0$, $P_c^B - 1/2 < \epsilon$ and $P_c^A < \epsilon$, to which we may refer as $\epsilon$-concealing and $\epsilon$-binding. These cheating probabilities are to be computed purely on the basis of logical and physical laws, and thus would survive any change in technology, including an increase in computational power. In general, one can write down explicitly

$$P_c^B = \frac{1}{4}\left(2 + \|\rho_0^B - \rho_1^B\|_1\right), \qquad (6)$$

where $\|\cdot\|_1$ is the trace norm, $\|\tau\|_1 = \mathrm{tr}\,(\tau^\dagger \tau)^{1/2}$ for a trace-class operator $\tau$, but the corresponding $P_c^A$ is more involved. Nevertheless, the impossibility proof shows that Adam can find a cheating $U^A$ that yields

$$\text{(IP)} \qquad \lim_{n} P_c^B = \frac{1}{2} \;\Rightarrow\; \lim_{n} P_c^A = 1 \qquad (7)$$

within its formulation [15]. Note that the impossibility proof makes a stronger statement (IP) than the mere impossibility of (US), i.e., (7) is stronger than (5) not being possible.

There are various gaps and implicit assumptions hidden in the impossibility proof, many of which seem to spring from the idea that a protocol leads to a closed quantum system all by itself, requiring no interaction with external agents or preparers. These gaps render the proof incomplete in several ways. As will be discussed in the following, some of them can be partially justified or closed, but many still remain and cannot be bridged. We will refer to protocols that fit this impossibility proof formulation as Type 0 protocols, and will describe four additional types, 1, 2, 3, and 4, that are clearly not covered by this proof. Before proceeding, we first elaborate on the limited scope of the impossibility proof formulation.
3 Problems of the impossibility proof

A plausible first reaction to the impossibility proof is: why are all possible QBC protocols reducible to the formulation described in the last section? More precisely, how may one characterize quantitatively the necessary feature of an unconditionally secure QBC protocol in order to show it to be impossible? To put this in yet another way, what is the mathematical definition of a QBC protocol, or the mathematical statement of the necessary feature of an unconditionally secure QBC protocol, that is required for any proof of a mathematical theorem that says such a protocol is impossible? No such definition is available. The situation is similar to the lack of a definition of an "effectively computable" function. Since nobody calls the Church-Turing thesis the Church-Turing theorem, at best the impossibility proof is a "thesis" which may be found incorrect in the future. This a priori logical point is further elaborated in Appendix A.

The crucial starting point of the impossibility proof asserts that, in general, a protocol is equivalent to one with openly known pure states $|\Phi_b\rangle$ on $\mathcal{H}^A \otimes \mathcal{H}^B$ at the end of commitment. Let us explore what this entails. Suppose Adam commits, in a prescribed protocol, one of $M$ possible $|\phi_{bi}\rangle$ for each $b$ without entanglement.† Then $\rho_0^B$ is identical or close to $\rho_1^B$ as before, but Adam cannot cheat. This situation is not one where a pure $|\Phi_b\rangle$ is known to Babe, which occurs only when all the randomness in $\rho_b^B$ comes from quantum entanglement. Even then Adam can cheat only if the entanglement is controlled by him. Indeed, quantum entanglement is not a conceptual resource, but rather a physical one, and needs to be physically established. See Appendix B for a discussion on randomness generated by quantum entanglement versus that generated by other means, and the confusion surrounding the doctrine of "Church of the Larger Hilbert Space." There may exist protocols in which Adam is forced to generate randomness without being able to entangle over it during the course of commitment, so that at the end of commitment one has the situation described above instead of openly known $|\Phi_b\rangle$ on $\mathcal{H}^A \otimes \mathcal{H}^B$. In our Type 4 protocols, the protocol design technique of open questioning of evidence could be used to achieve this situation, as described in Section 9 and Appendix C.

†In practice, this is what would happen currently due to the difficulties of generating and maintaining entanglement. Some of these difficulties are not merely technical, but are actually inherent in principle.

In general, if Babe makes an actual measurement during commitment, there would not be an openly known $|\Phi_b\rangle$ at the end of commitment. The impossibility proof claims that such measurement can be postponed until after commitment with the use of measurement purification and (3) in place of an actual measurement. However, no proof is given that both $P_c^A$ and $P_c^B$ would not be affected. Furthermore, one has to make sure that it is not the microscopic states in which Babe is thus required to store her measurement results that are being reversed by Adam's cheating. Otherwise, Babe can take macroscopic readings instead. In Section 5, we will show how cheating detection during commitment is not incorporated in the impossibility proof formulation with an openly known $|\Phi_b\rangle$. As a consequence, the situation of actual measurements during commitment has to be explicitly included in a general formulation of QBC protocols.

The use of anonymous states alone, where the parameter may be unknown to Adam, leads to our Type 3 protocols. As elaborated in Appendix B, the distinction between an unknown and a random parameter is crucial in this situation, and the assertion that $|\Phi_b\rangle$ is openly known cannot be maintained. A theory of statistical quantum games is required for an analysis of protocols of this type.

Assuming that $|\Phi_b\rangle$ is openly known at the end of commitment, it is still not proved that Adam can cheat in general because special structure or mingling of $\mathcal{H}^A$ and $\mathcal{H}^B$ during commitment may lead to an opening and verification procedure different from Adam and Babe acting on $\mathcal{H}^A$ and $\mathcal{H}^B$ separately. Our Type 2 protocols give one such possibility, but no doubt there are others. Generally in a QBC protocol with a given $|\Phi_b\rangle$ at the end of commitment, different opening and verification strategies are possible, depending on exactly how $|\Phi_b\rangle$ is arrived at. Both our Type 2 and Type 4 protocols may be viewed as ones where these phases are more complex than the one given in the formulation of the impossibility proof. In the next section we will first elaborate on the issue of what may constitute a QBC protocol and whether we can give it a mathematical definition.
4 Proper framework for protocol formulation

The following two principles, the Intent Principle and the Libertarian Principle, govern the 
viability and meaningfulness of any bit commitment protocol in a descriptive, not normative, 
sense. That is, they would be satisfied in what we would take intuitively to be a proper 
protocol, and are not imposed in a legislative fashion, as discussed in the following. 

INTENT PRINCIPLE — Each party would act to achieve the intent of the protocol if no cheating by the other party is (probabilistically) possible.

Thus, each party would cooperate so that the protocol would not be aborted, which happens when one party is found cheating by the other through a possible cheat-detection mechanism during the commitment phase. Since each party can always just abort by noncooperation during any stage of any two-party protocol, the Intent Principle does not exclude any action not otherwise possible. Thus, if the cheating detection probability leads to an overall cheating success probability within the given $\epsilon$, the protocol is a proper one and cannot be declared illegitimate because one party may keep cheating, though keep being detected.

We also have the 

LIBERTARIAN PRINCIPLE — At any stage of the protocol, each party can freely perform any possible local operation consistent with the Intent Principle for cooperation.

Thus, no party can be assumed to be honest in anything if the action leads to his/her own advantage and would not get caught. That is, each party can cheat whenever possible, unless it violates the Intent Principle for cooperation. There would be no need for any protocol if the parties can be assumed honest. Similarly, each party can do whatever is possible to thwart the other party's cheating. Under the Intent Principle, a party is obliged to accept a protocol if he is assured that the probability of cheating against him is within the tolerance level $\epsilon$, even though he does not know a secret parameter of the other party. The following Secrecy Principle is a corollary of the above two principles.

Corollary (SECRECY PRINCIPLE) — A party does not need to reveal a secret 
parameter chosen by her in whatever manner, if it does not affect the other party's 
security. 

On the other hand, if a party has no control or checking on a secret parameter that the other party may use to cheat successfully, she would not accept the protocol.

Any finite sequence of two-way quantum communication exchanges that results in bit commitment under the Intent Principle is evidently a QBC protocol, whose security is to be analyzed under the Libertarian Principle. More importantly, any QBC formulation that fails to include all such sequences does not capture all possible QBC protocols. The present framework is more general than the "Yao model" in that aborting the protocol on the basis of cheating detection is allowed during commitment, and is more specific in the explicit formulation of the above principles. As discussed in the preceding section, the impossibility proof formulation is not complete in that it misses protocols with cheating detection during commitment because such detection would involve actual measurements that may not be postponed until after commitment to yield openly known $|\Phi_b\rangle$. Also, the Secrecy Principle a priori contradicts directly the claim of openly known $|\Phi_b\rangle$.

The above principles do not constitute a mathematical definition of a QBC protocol. 
They are too broad and too narrow at the same time — too broad in the sense that bit com- 
mitment is not defined, and too narrow in that other possibilities may still exist. My personal 
suspicion is that the "too broad" problem, or the difficulty of defining bit commitment, is 
much more serious than the "too narrow" problem. 

As in all QBC formulations so far, it is assumed in this paper that Adam opens perfectly on one bit value, say $b = 0$. More generally, one may allow QBC protocols that open on one bit with a success probability $P_0 = 1 - \epsilon'$ for a small $\epsilon'$. It appears that protocols for which neither bit can be opened with near-unity probability are of little interest. In conjunction with $\epsilon$-concealing and $\epsilon$-binding, one may then consider the possibility of $(\epsilon, \epsilon')$-protocols, the detailed treatment of which will be given elsewhere.
5 New protocol techniques, or gaps in the impossibility proof

In this section we describe three new techniques for constructing QBC protocols, which are 
not covered by the impossibility proof formulation. Our Type 1 protocol is based on the 
first technique, Type 2 on the second and, possibly, additional others, Type 3 on random 
numbers, and Type 4 on the third technique. Each of these protocol types will be discussed 
separately in the following sections. 

The first technique introduces testing on states of an ensemble, in space or in time, submitted by the other party, in order to check whether only admissible states of the protocol are being used. This was already utilized in QBC2 of Ref. [15]. The protocol is aborted if cheating is detected by a measurement. Such protocols are allowed under the Intent Principle, but not included in the impossibility proof formulation for the following reason. Babe can use many different possible $U_l$ in (3), secretly chosen to be recognized only by her, in order to represent her choice of aborting the protocol. Thus, the resulting $|\Phi_b\rangle$ is not known to Adam. Even if the measurement checking is postponed until verification, there is no proof that the cases of Adam's successful cheating do not correspond to the ones aborted by Babe. That is, a careful analysis of the overlaps between aborting probabilities by Adam and Babe with $P_c^A$ and $P_c^B$ is required. One also has to rule out the situation where one keeps aborting if he finds the situation not conducive to his cheating. Generally, in accordance with the Intent Principle, a fixed number $N_c$ of cheating detections may be built into the protocol, beyond which the whole attempt at a protocol is aborted. An appropriate theory of statistical quantum games needs to be developed for general analysis of such protocols.

For the second technique, consider a protocol in which Babe forms (2) and sends Adam $\mathcal{H}^{B1}$, with $|\psi_k\rangle = |\psi_{k1}\rangle|\psi_{k2}\rangle$ in $\mathcal{H}^{B1} = \mathcal{H}^{B11} \otimes \mathcal{H}^{B12}$. Adam randomly switches the state in $\mathcal{H}^{B11}$ to be that of $|\psi_{k1}\rangle$ or $|\psi_{k2}\rangle$ by the unitary permutation $P_m$, $m \in \{1, 2\}$, modulates the resulting state in $\mathcal{H}^{B11}$ by a single $U_b$ for each $b$, and sends it to Babe. He opens by revealing $b$, his random permutation $P_m$, and returning $\mathcal{H}^{B12}$. Babe verifies by testing the appropriate states in $\mathcal{H}^{B11}$ for checking $b$, and $\mathcal{H}^{B12}$ for checking that there is no change. Thus, Adam cannot entangle and use $\mathcal{H}^{B12}$. It is possible that the protocol is both concealing and binding because, for the final commitment state $|\Phi_b\rangle$ with Adam entangling the $P_m$ with $|e_i\rangle \in \mathcal{H}^{A1}$, we have $\mathcal{H}^A = \mathcal{H}^{A1} \otimes \mathcal{H}^{B12}$ and $\mathcal{H}^B = \mathcal{H}^{B11} \otimes \mathcal{H}^{B2}$. Thus, $\rho_0^B$ can be close to $\rho_1^B$ because $\mathcal{H}^{B12}$ is not available to Babe for her cheating. However, only $\mathcal{H}^{A1}$, and not $\mathcal{H}^A$, is available to Adam's cheating, so he cannot apply the required cheating $U^A$ without being found cheating with a nonvanishing probability. There is no impossibility proof covering this situation.

Example 1 (protocol QBCp2)

As a specific example, consider the case $\mathcal{H}^{B1} = \mathcal{H}^{B11} \otimes \mathcal{H}^{B12} \otimes \mathcal{H}^{B13} \otimes \mathcal{H}^{B14}$ of four qubits, with $\{|\psi_k\rangle\} = \{|1\rangle|2\rangle|3\rangle|4\rangle,\ |4\rangle|1\rangle|2\rangle|3\rangle,\ |3\rangle|4\rangle|1\rangle|2\rangle,\ |2\rangle|3\rangle|4\rangle|1\rangle\}$, where $\{|1\rangle, |2\rangle, |3\rangle, |4\rangle\}$ are, e.g., a fixed set $\mathcal{S}$ of four possible BB84 states on a given great circle of a qubit. Adam permutes each $|\psi_k\rangle$ by one of four possible $P_m$, and returns the first qubit to Babe unchanged for $b = 0$, while shifted by $\pi/2$ on the great circle for $b = 1$. Assume first that Babe either did not entangle, or cannot use her entanglement in $\mathcal{H}^{B2}$, so that Adam receives one of the four possible $|\psi_k\rangle$. It is then easy to see that $\rho_0^{B11}(\psi_k) = \rho_1^{B11}(\psi_k)$ for all $k$. It is also not hard to see that no entanglement of the four possible $P_m$ would produce a rotation on the first qubit while not disturbing the others. Thus, Adam cannot cheat perfectly and has a fixed $P_c^A$ for this protocol which is not arbitrarily close to one, even though it is perfectly concealing. In Section 7, we will indicate how Babe can be effectively denied her use of entanglement via $U^{B2}$.
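A numerical check of Example 1, as an added example that is not code from the paper. It assumes $\mathcal{S} = \{|0\rangle, |+\rangle, |1\rangle, |-\rangle\}$ on the $x$-$z$ great circle, numbered so that the $\pi/2$ shift sends state $j$ to state $j+1$, and takes the four $P_m$ to be cyclic shifts of the qubit positions; under the stated assumption that Babe does not use entanglement it verifies $\rho_0^{B11}(\psi_k) = \rho_1^{B11}(\psi_k)$ and brackets Adam's cheating probability, with operations on $\mathcal{H}^{A1}$ only, between a random-search lower bound and a Cauchy-Schwarz upper bound that is strictly below one.

```python
# Added example (not code from the paper): numerical check of Example 1 (protocol QBCp2).
# Constructed instance: S = {|0>, |+>, |1>, |->}, the four BB84 states on the x-z great
# circle, numbered 0..3 so that "shift by pi/2 on the circle" maps state j to state j+1;
# the permutations P_m are assumed to be the four cyclic shifts of the qubit positions.
import numpy as np

S = [np.array(v, dtype=complex) for v in
     ([1, 0], [2 ** -0.5, 2 ** -0.5], [0, 1], [2 ** -0.5, -(2 ** -0.5)])]

def kron_all(vecs):
    out = np.array([1.0 + 0j])
    for v in vecs:
        out = np.kron(out, v)
    return out

def product_state(b, k, m):
    """Four-qubit state after Adam applies P_m to |psi_k> and modulates qubit 1 by b:
    |psi_k> = |k>|k+1>|k+2>|k+3> (indices mod 4), P_m shifts the positions by m, and the
    b = 1 modulation rotates qubit 1 by pi/2 on the circle, i.e. state j -> j+1."""
    idx = [(k + m + q) % 4 for q in range(4)]
    idx[0] = (idx[0] + b) % 4
    return kron_all([S[j] for j in idx])

def babe_first_qubit_marginal(b, k):
    """rho_b^{B11}(psi_k): Babe's reduced state on the returned qubit, averaged over
    Adam's uniformly random P_m, assuming Babe did not (or cannot) use entanglement."""
    rho = np.zeros((2, 2), dtype=complex)
    for m in range(4):
        v = S[((k + m) % 4 + b) % 4]
        rho += np.outer(v, v.conj()) / 4
    return rho

def concealment_trace_distance(k):
    """||rho_0^{B11} - rho_1^{B11}||_1 for a given k; 0 means perfectly concealing."""
    d = babe_first_qubit_marginal(0, k) - babe_first_qubit_marginal(1, k)
    return float(np.sum(np.abs(np.linalg.eigvalsh(d))))

def overlap_matrix(k):
    """K[m, m'] = <chi_{1,m} | chi_{0,m'}> with |chi_{b,m}> = product_state(b, k, m).
    Adam's commitment of b = 0 with P_m entangled to a record |e_m> in H^{A1} is
    |Phi_0> = (1/2) sum_m |e_m>|chi_{0,m}>.  To open as b = 1 announcing m, Babe's
    product-state check passes with amplitude (1/2) sum_{m'} <e_m|U|e_{m'}> K[m, m']."""
    return np.array([[np.vdot(product_state(1, k, m), product_state(0, k, mp))
                      for mp in range(4)] for m in range(4)])

def cheat_success(U, K):
    """Adam's success probability for opening b = 1 when he applies U on H^{A1} only
    and then measures {|e_m>}: (1/4) sum_m |(U K^T)_{mm}|^2."""
    return float(np.sum(np.abs(np.diag(U @ K.T)) ** 2) / 4)

def cheat_bounds(k, trials=3000, seed=0):
    """Lower bound: best of U = I and Haar-random unitaries on H^{A1}.
    Upper bound: Cauchy-Schwarz, |(U K^T)_{mm}|^2 <= ||K^T e_m||^2, which holds for
    every unitary and also for any POVM Adam could use instead.  Both stay below 1."""
    K = overlap_matrix(k)
    rng = np.random.default_rng(seed)
    best = cheat_success(np.eye(4, dtype=complex), K)
    for _ in range(trials):
        G = rng.normal(size=(4, 4)) + 1j * rng.normal(size=(4, 4))
        Q, R = np.linalg.qr(G)
        U = Q @ np.diag(np.diag(R) / np.abs(np.diag(R)))   # Haar-distributed unitary
        best = max(best, cheat_success(U, K))
    upper = float(np.sum(np.abs(K) ** 2) / 4)
    return best, upper

if __name__ == "__main__":
    for k in range(4):
        lo, hi = cheat_bounds(k)
        print(f"k={k}: trace distance {concealment_trace_distance(k):.2e}, "
              f"P_c^A in [{lo:.4f}, {hi:.4f}]")
```

For every $k$ the two first-qubit marginals coincide (both equal $I/2$), while Adam's cheating probability lies between $1/2$ (reached already with $U = I$) and $5/8$, the fixed value of $P_c^A$ being bounded away from one as the text states.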

In the third technique, Babe asks Adam some of infinitely many possible questions concerning the evidence that Adam committed, demanding the answers to be presented to her in a random fashion, specified by her as a quantum code. Since Adam cannot entangle this new random code on top of the entanglement he already formed, he could only cheat successfully if the required presentations of the answers have been pre-entangled by him. However, he can pre-entangle answers to only a finite number of questions, and thus can only cheat with an arbitrarily small probability.

Each of these techniques will now be elaborated upon in the different types of protocols. 
6 Some measurements cannot be postponed: Type 1 protocols

In this Section we will show that the protocol technique of testing for cheating detection alone, with resulting protocols referred to as Type 1, could already lead to unconditional security. The general idea leading to our protocol QBC1 will first be described before the security analysis and a precise statement of the protocol.

If carried out honestly, the protocol would work as follows. Adam sends Babe a large number $n$ of qubits named by their temporal position with states selected randomly and independently from the set $\mathcal{S}_C$ of four BB84 states on a given fixed great circle $C$ of the qubits. Babe randomly selects $n - n_0$ qubits, tests them by asking Adam what these states are, and verifies them, with $n_0$ and $n$ large so that the remaining $n_0$ states would also be distributed nearly uniformly on $\mathcal{S}_C$. She then picks randomly one of the remaining $n_0$ states and sends it back to Adam, who would modulate it by $U_0 = I$ or $U_1 = R(\pi)$, rotation by $\pi$ radians on the circle $C$, depending on $b = 0$ or 1. He opens by revealing $b$ and all the $n_0$ qubit states. Babe verifies by checking all the qubits in her possession. This protocol QBC1 is $\epsilon$-concealing and $\epsilon$-binding for the following reasons.

Adam may entangle each individual qubit he sends in the form (2) with $|\psi_k\rangle \in \mathcal{S}_C$, and then measure $\{|f_k\rangle\}$ when asked to reveal by Babe. If he sends in other qubit states, the chance he would escape detection is arbitrarily small for large $n - n_0$. If he entangles across qubits, that merely reduces his freedom in response to Babe's testing. When he accepts the qubit sent back by Babe, he would have to measure $\{|f_k\rangle\}$ in all the remaining qubits before his modulation, or else he could not commit because there would be no difference between his two $U_b$ actions. If he measures on the qubit sent back by Babe, he would not be able to open perfectly for $b = 0$. More significantly, the information is of little use to him since he does not know the name of that qubit. He can only cheat by declaring $b = 1$ and switching the names of some of the qubits, hoping that it would fit his cheating $b = 1$ opening. However, the chance that this would succeed without being detected can be seen to be arbitrarily small for large $n_0$.

This protocol is $\epsilon$-concealing because all of Babe's possible cheatings are unsuccessful, as follows. With high probability, Adam checks the qubit sent back by Babe with a question on its name, and verifies that it is correct. He accepts the qubit at some point. If Babe sends in a state different from one in Adam's ensemble, the probability that this goes undetected is arbitrarily small when Adam tests a large number $m < n_0$ of times. Assuming that both Adam and Babe employ a randomized strategy applied independently from qubit to qubit during Adam's testing, it can readily be shown that the protocol is $\epsilon$-concealing and $\epsilon$-binding for sufficiently large $n$ and $n_0$. This different-state attack by Babe includes her possible entanglement, even though it can be shown independently that her entanglement would not help. She can also try to determine the qubit state she sends back by measuring the other qubits in her possession, but these are not correlated with the qubit she sends back. We have the following protocol QBC1. 

PROTOCOL QBC1 

(i) Adam sends Babe a large number $n$ of independent qubit states drawn 
randomly from $S_0$, a set of openly known BB84 states on a given 
great circle $C$ of the qubits. The qubits are named by their temporal 
positions as received by Babe. 

(ii) Babe randomly picks a large number $n_0$ of these qubits, sets them 
aside, and asks Adam to open the remaining ones. She verifies them 
to be correct and distributed nearly uniformly, as prescribed in (i). 
Otherwise the protocol is aborted. 

(iii) Babe sends back one of the $n_0$ remaining qubits to Adam, who checks 
it a sufficient number of times in a game with Babe, accepts one, and 
modulates it by either $U_0 = I$ or $U_1 = R(\pi)$, rotation by $\pi$ radians on 
$C$, and sends it back to Babe. 

(iv) Adam opens by revealing $b$ and all the remaining qubit states. Babe 
verifies by measuring the corresponding projectors. 



In addition to being an outline, the above security analysis is incomplete because the optimal sequential decisions in both Adam's and Babe's testing have not been analyzed. A new development of quantum sequential decision theory and quantum games is needed for such an analysis. In general, a fixed number $N_c$ of cheatings by each party is allowed as a protocol design parameter in a quantum game situation. A party is not permitted to continue, i.e., loses the game, if found cheating more than $N_c$ times. It is evident that QBC1 is unconditionally secure if $N_c$ is taken to be zero or a small number. I believe that, for any given $N_c$, $n$ and $n_0$ can be chosen so that the protocol is unconditionally secure for any $\epsilon > 0$. 



Note that QBC1 is not just a cheat-sensitive [18] protocol. In particular, the cheat detection is done before the bit is committed. As shown in the preceding section, it would not be equivalent to a protocol with an openly known $|\Phi_b\rangle$ at the end of commitment. 
7 Who has which space: Type 2 protocols 

The use of the first technique in Section 5, test for cheating via measurement, has the effect of changing and pinning down the $\epsilon$-concealing condition of the protocol, as compared to one without the test. Generally, the condition 

$$\rho_0^B(\Psi) \simeq \rho_1^B(\Psi) \quad \text{for one } |\Psi\rangle \in \mathcal{H}^{B_1} \otimes \mathcal{H}^{B_2}, \qquad (8)$$

while weaker than 

$$\rho_0^B(\Psi) \simeq \rho_1^B(\Psi) \quad \text{for every } |\Psi\rangle \in \mathcal{H}^{B_1} \otimes \mathcal{H}^{B_2}, \qquad (9)$$

is not equivalent to 

$$\rho_0^B(\psi_k) \simeq \rho_1^B(\psi_k) \quad \text{for every } |\psi_k\rangle \in \mathcal{H}^{B_1}. \qquad (10)$$

Specifically, (8) does not imply (10) because there can be a $|\psi_1\rangle$ for which $\rho_0^B(\psi_1)$ and $\rho_1^B(\psi_1)$ are far apart under (8) with $\lambda_1$ small [17]. Also, it is easy to check that in Example 1, (10) holds with equality, but there is a finite gap for $\|\rho_0^B - \rho_1^B\|_1$ upon entanglement with $\mathcal{H}^{B_2}$. This renders false the claim that the use of random numbers as in (10) can be equivalently described by their quantum purifications as in (9). Further discussion of this point is given in Section 8. Here we note that (9) is, in general, a sufficient but not necessary (at least not proved necessary) condition for the protocol to be concealing, again to be further discussed in Section 8. It is rather a severe restriction on the protocol, which can be relaxed to (10) with a test for cheating. 

A Type 2 protocol that also involves the first technique of cheating detection may work as follows. Similar to QBC1, a large $n$-sequence ($n$-fold tensor product) of qubit states, drawn independently with probabilities $\{\lambda_k\}$ from a fixed set $S_0 = \{|\psi_k\rangle\}$, is sent from Babe to Adam, each state named by its position in the sequence. Adam puts aside randomly chosen $n_0$ of them, and asks Babe to reveal the remaining $n - n_0$ ones for testing. For large enough $n - n_0$, Babe cannot use any $|\Psi\rangle \in \mathcal{H}^{B_1} \otimes \mathcal{H}^{B_2}$ other than one of the form (2) without getting caught with probability arbitrarily close to one, so that the concealing condition is (10) and not (8). If Adam randomly picks one of the remaining $n_0$, or $m$ of them for full unconditional security, modulates it by a single $U_b$ for each $b$, and returns it without the name to Babe, she is not able to use her entanglement (8) effectively on any qubit. This technique is similar to the use of decoy states from Adam to Babe in [15], and results in an effective concealing condition (10) in place of (8), although (9) still applies overall. While the use of a single $U_b$ does not allow Adam to cheat successfully on a fixed qubit, the freedom from the $n_0$-ensemble still allows him to entangle and launch an EPR attack. This attack is thwarted via the second technique of Section 5, which demands that Adam return the remaining $n_0 - 1$ qubits so Babe can verify that they have not been disturbed. Example 1, our protocol QBCp2, can be extended in this way to become an unconditionally secure protocol QBC2, which is a modified version of a protocol with the same name in Ref. [15]. 



Alternatively, the same logic applies to the following protocol, which is somewhat simpler. 



PROTOCOL QBC2A 

(i) Babe sends Adam $n$ qubits named by their temporal position, each 
drawn independently with equal probability from $S_0$, a fixed set of 
four possible BB84 states. 

(ii) Adam randomly picks $n_0$ of these qubits and sets them aside, and asks 
Babe to open the remaining $n - n_0$ ones. He verifies them to be correct 
in that they are distributed as prescribed in step (i). Otherwise the 
protocol is aborted. 

(iii) Adam randomly picks $m$ out of the $n_0$ remaining ones, modulates each 
by the same $U_0 = I$ or $U_1 = R(\pi)$, rotation by $\pi$ on the great circle 
containing $S_0$, and sends them back to Babe. 

(iv) Adam opens by revealing $b$ and returning the remaining $n_0 - m$ qubits. 
Babe verifies by measuring the corresponding projectors. 



By proper choice of $m$, $n_0$, and $n$, this protocol can be made both $\epsilon$-concealing and $\epsilon$-binding for any $\epsilon > 0$, given that Adam opens perfectly on $b = 0$. The main steps of the proof may be outlined as follows. Babe can cheat by entangling over each individual qubit and also by using a distribution of qubits more biased than the one prescribed in step (i). To defeat her qubit entanglement cheating, let $1/n_0 = \epsilon_1$. The probability that she pairs $\mathcal{H}^{B_{11}}$ with the correct $\mathcal{H}^{B_{21}}$, where $\mathcal{H}^B = \mathcal{H}^{B_1} \otimes \mathcal{H}^{B_2}$, $\mathcal{H}^{B_m} = \mathcal{H}^{B_{m1}} \otimes \cdots \otimes \mathcal{H}^{B_{mn}}$, $m \in \{1, 2\}$, is thus $\epsilon_1$. If the pairing is incorrect, the trace distance in (7) is not affected because, for any three general states $\rho$, $\rho'$, $\sigma$, 

$$\|(\rho - \rho') \otimes \sigma\|_1 = \|\rho - \rho'\|_1. \qquad (11)$$

If the pairing is correct, we take the upper bound value of two for the trace distance. By making both $n$ and $n_0$ large and testing on the arbitrary $n - n_0$ qubits, one may guarantee, to within any $\epsilon_2 > 0$ for the resulting $P_B^c = 1/2 + \epsilon_2$ with $\epsilon_2 \to 0$ in the limit $n_0 \to \infty$ and $n \to \infty$, that the distribution of states in the two sets of qubits is indeed the one prescribed. Accordingly, Babe can only get $P_B^c = 1/2 + \epsilon_3$ for $\epsilon_3 \to 0$ from the $m$ committed qubits for any fixed $m$. This situation has been analyzed for QBC2 in Ref. [15]. From the union bound on probability, one may take $\epsilon_1 + \epsilon_2 + \epsilon_3 < \epsilon$, and the protocol becomes $\epsilon$-concealing. The asymptotic situation as $m, n_0, n \to \infty$ is quite apparent even in the absence of any quantification with respect to the $\epsilon$'s. The protocol is binding on Adam, because $m$ can be chosen large enough that Adam's optimum one-qubit cheating probability $p_A$ gives $p_A^m < \epsilon$. 

This QBC2A utilizes the first technique and the denial of entanglement matching, in addition to its use of the second technique, which makes it Type 2. Even though there is as yet no example, one cannot a priori rule out the possibility that the use of the second technique alone, as described in Section 5, would lead to an unconditionally secure protocol. Even if that turns out to be impossible, the impossibility proof formulation does not cover such a situation, and needs to be extended for a proof. 
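The following Python simulation is an added example and not code from the paper; it serves both QBC1 and QBC2A, which differ mainly in which party prepares the qubits. It runs one honest instance of QBC2A with real-amplitude qubits (all four BB84 states lie on one real great circle, so real amplitudes suffice), computes the state Babe assigns to a returned qubit whose name she is denied, and shows that an Adam who simply opens the other bit is caught with certainty by the projector checks. The fixed tolerance in Adam's distribution test, and the assumption that Adam reveals the names of the committed qubits at opening, are mine; entanglement attacks on either side are outside what a classical simulation can show.

```python
import math
import random

# Added example (not the paper's code): classical simulation of QBC2A.
# A qubit state is a pair (a, b) meaning a|0> + b|1> with real amplitudes.
# S0 is the set of four BB84 states of step (i); constructed sample data.
S0 = {
    "0": (1.0, 0.0),
    "1": (0.0, 1.0),
    "+": (1 / math.sqrt(2), 1 / math.sqrt(2)),
    "-": (1 / math.sqrt(2), -1 / math.sqrt(2)),
}


def rotate_pi(state):
    """U_1 = R(pi), rotation by pi along the great circle C. For Bloch angle t,
    (cos t/2, sin t/2) -> (cos(t/2 + pi/2), sin(t/2 + pi/2)) = (-b, a), which
    carries every state of S0 to its orthogonal partner up to a global phase."""
    a, b = state
    return (-b, a)


def modulate(state, bit):
    """U_0 = I for b = 0, U_1 = R(pi) for b = 1 (step (iii) of QBC2A)."""
    return state if bit == 0 else rotate_pi(state)


def overlap2(psi, phi):
    """|<psi|phi>|^2: probability that the projector |psi><psi| answers 'yes'
    on a qubit in state phi."""
    return (psi[0] * phi[0] + psi[1] * phi[1]) ** 2


def project(psi, phi, rng):
    """Sample the yes/no outcome of measuring |psi><psi| on state phi.
    Rounding removes floating-point noise from the exact 0 and 1 cases."""
    return rng.random() < round(overlap2(psi, phi), 12)


def unnamed_qubit_density(bit):
    """Density matrix Babe assigns to a returned qubit whose name is withheld:
    a uniform mixture over S0 modulated by U_bit. Since R(pi) permutes S0 the
    result is I/2 for either bit, i.e. condition (10) holds with equality."""
    rho = [[0.0, 0.0], [0.0, 0.0]]
    for state in S0.values():
        a, b = modulate(state, bit)
        rho[0][0] += a * a / 4
        rho[0][1] += a * b / 4
        rho[1][0] += b * a / 4
        rho[1][1] += b * b / 4
    return rho


def adam_test(qubits, revealed, rng, tol=0.15):
    """Step (ii): Adam projects each opened qubit onto the state Babe claims
    for it and checks that every state of S0 appears with frequency near 1/4.
    'tol' is an assumed fixed tolerance standing in for the Chernoff-type
    bound the paper refers to."""
    for name, label in revealed.items():
        if not project(S0[label], qubits[name], rng):
            return False
    counts = {label: 0 for label in S0}
    for label in revealed.values():
        counts[label] += 1
    total = len(revealed)
    return all(abs(c / total - 0.25) <= tol for c in counts.values())


def run_qbc2a(n, n0, m, b, open_as=None, seed=1):
    """One run of QBC2A: Babe prepares, Adam tests, commits to b, then opens.
    If open_as differs from b, Adam opens the other bit having done nothing
    else; each committed qubit then fails its projector check with certainty,
    because U_0|psi> and U_1|psi> are orthogonal. Assumption not spelled out
    on the page: at opening Adam also reveals which names the m committed
    qubits carry, so that Babe can verify them."""
    rng = random.Random(seed)
    # (i) Babe -> Adam: n qubits named by position, labels uniform on S0.
    labels = [rng.choice(sorted(S0)) for _ in range(n)]
    qubits = {name: S0[lab] for name, lab in enumerate(labels)}
    # (ii) Adam keeps n0 at random and asks Babe to open the rest.
    names = list(range(n))
    rng.shuffle(names)
    kept, opened = names[:n0], names[n0:]
    revealed = {j: labels[j] for j in opened}          # Babe -> Adam
    if not adam_test(qubits, revealed, rng):
        return {"aborted": True, "verified": False}
    # (iii) Adam -> Babe: m of the kept qubits, modulated by U_b, no names.
    committed = kept[:m]
    returned = [modulate(qubits[j], b) for j in committed]
    # (iv) Opening: the bit, the committed names, and the n0 - m other qubits.
    claimed = b if open_as is None else open_as
    rest = {j: qubits[j] for j in kept[m:]}
    ok = all(project(modulate(S0[labels[j]], claimed), st, rng)
             for j, st in zip(committed, returned))
    ok = ok and all(project(S0[labels[j]], st, rng) for j, st in rest.items())
    return {"aborted": False, "verified": ok}


if __name__ == "__main__":
    print(run_qbc2a(400, 100, 20, b=1))              # honest run: verified
    print(run_qbc2a(400, 100, 20, b=1, open_as=0))   # flip-open: caught
    print(unnamed_qubit_density(0), unnamed_qubit_density(1))
```

The two calls to `unnamed_qubit_density` return the same matrix, which is the whole content of "denial of entanglement matching" in the honest, unentangled picture: without the name, Babe's state for a returned qubit carries no information about $b$, while with the name she could distinguish $U_0|\psi_j\rangle$ from $U_1|\psi_j\rangle$ perfectly.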
8 Classical randomness and quantum purification: Type 3 protocols 

A cornerstone of the general impossibility proof is the assertion that classical randomness can be equivalently described as quantum determinacy via purification, say by (2), through the doctrine of the "Church of the Larger Hilbert Space," a technique also widely used in quantum coin tossing. But equivalent for what? In the following, we analyze the ways in which they are not equivalent for use by Babe in a QBC protocol. The best argument I know for their equivalence is given alongside. Appendix B is essential for clarification of this issue. 

First of all, it is clearly not true that all classical randomness can be reduced to that arising from the quantum description of a system. After all, there were many scenarios for the occurrence of classical randomness before the rise of quantum physics, including especially classical statistical mechanics. Even if one grants a determinate quantum description for the underlying classical randomness involved, it is unreasonable to assume that any party would possess the detailed knowledge to write down the complete quantum description. However, in the context of QBC protocols it is not only reasonable but in fact mandatory to consider such purification (2), which a party can form and use for cheating. Thus it is a consideration of entanglement cheating, not the "Church of the Larger Hilbert Space," that compels one to consider (9). 

The following argument, in the spirit of the impossibility proof, appears to show that the exact $\{|f_k\rangle\}$ in (2) need not be known by Adam for finding his cheating transformation. Let the protocol be $\epsilon$-concealing as a consequence of $\rho_0^B(\Psi)$ being close to $\rho_1^B(\Psi)$ for one $|\Psi\rangle$ generated by Babe in the form (2). Assume Babe verifies by first measuring $\{|f_k\rangle\}$ and then checking Adam's opening. The commutativity of Adam's and Babe's operations shows that the protocol performance is the same whether Babe measures $\{|f_k\rangle\}$ during commitment or after Adam opens. The fact that Adam can cheat after Babe measures $\{|f_k\rangle\}$ shows that the cheating must be independent of the specific $\{|f_k\rangle\}$, even though it is obtained for a known $\{|f_k\rangle\}$. Note that this argument does not extend to the knowledge of $\{\lambda_k\}$. 
Nevertheless, even just for $\{|f_k\rangle\}$ this argument contains a major gap, which is, in fact, a general gap in the impossibility proof: it is not guaranteed that there is only one verifying measurement for the protocol. In the particular case of randomness described above, it means that the split measurement, $\{|f_k\rangle\}$ on $\mathcal{H}^{B_1}$ followed by a measurement on $\mathcal{H}^{B_2}$, is not the verifying measurement $\Pi$ that has been proved susceptible to cheating as prescribed by the impossibility proof. It is not true that whenever $\Pi$ is verified on a cheating state, then so is the split measurement. The cheating probability $P_A^c$ depends on the verifying measurement. For an arbitrary protocol, the impossibility proof formulation does not, and in fact cannot, specify what the possible verifying measurements could be. There is no proof given that there cannot be more than one verifying measurement, for which different cheating transformations are needed. It turns out that for several types of protocols, though not for all, I can prove that this is indeed the case in the sense (IP) of (7) for all perfectly verifying measurements, i.e., measurements that yield the "yes" result with probability one corresponding to the opened bit value. 

However, condition (8), which is taken to be the $\epsilon$-concealing condition in the impossibility proof, is not a proper concealing condition, due to the Libertarian Principle. Indeed, while (8) implies that Adam can cheat according to the impossibility proof, the situation is misrepresented in that it may be Babe who can actually cheat by using a different $|\Psi\rangle$. Two examples are given in Ref. [16]. It makes no sense to insist that Babe has to stick to a prescribed $\{\lambda_k\}$, in contradiction to the Secrecy Principle, so that the protocol is concealing and Adam can cheat, while Babe can actually use a different $\{\lambda_k\}$ and instead cheat successfully herself. There is no reason for Babe to commit such bit suicide. For any protocol, one cannot simply say that the protocol is now taken to be $\epsilon$-concealing. One has to describe quantitatively a necessary $\epsilon$-concealing condition for the protocol before any meaningful performance analysis can be made, which is something the impossibility proof fails to do in general. Thus, there is no impossibility proof whenever anonymous states are used in a protocol. 
Suppose that condition (9) is to be used, which is a sufficient condition that has not been shown to be necessary for concealing, as discussed later. For a class of anonymous-state protocols that are perfectly concealing, it may be shown [16], [17], [20] that the cheating $U^A$ is independent of any $\{\lambda_k\}$ and $\{|f_k\rangle\}$ in (2). The reason why secure protocols based on classical random numbers alone are hard to construct is not necessarily because one forgets quantum purification. It is because concealing under quantum purification is often more restrictive than concealing under classical randomness, as in protocol QBCp2 or Example 1. We say that a protocol is of Type 3 whenever anonymous states, with parameters such as $\{\lambda_k\}$ unknown to Adam, are used by Babe. An example is QBC3 of Ref. [15]. Under $\epsilon$-concealing (8) for such protocols, it is not known whether $P_A^c$ is close to one independently of $\{\lambda_k\}$. Thus, there is no impossibility proof if (8) in a Type 0 protocol with (2) is replaced by (9), or just by (10). For such Type 3 protocols, unconditional security may arise in the following way. Since Adam does not know $\{\lambda_k\}$, one may consider first a fixed $\{\lambda_k\}$ and then average over all possible cheating $U^A$. Such an average cannot produce $P_A^c \simeq 1$. The performance analysis for the overall situation seems rather involved, and new approaches may be needed to see whether security is actually provable. A direct approach to the analysis of such protocols is given in Ref. [19]. However, what we have here is actually a game-theoretic situation involving freedom on both sides, with opposing objectives with regard to the performance criteria $P_A^c$ and $P_B^c$. It is most appropriate to regard $\{\lambda_k\}$, $\{p_i\}$, etc. as unknown, with no meaningful distribution on them, a situation that arises in many problems of classical statistics whenever there is a lack of statistical regularity or of a meaningful ensemble, which is the situation we have here. See Appendix B for further elaboration. 



It is argued in [21] that $\{\lambda_k\}$ has to be taken as openly known in a meaningful protocol, because there is no guarantee that it can be kept secret. In any cryptographic protocol, one has to assume that anything one party does at her locality is not known to another party at a distant locality, relativity or not, or else nothing can be a secret, including a secret key. The issue is not why Adam does not know $\{\lambda_k\}$. It is why he would know. Indeed, one may use the same reasoning and assume that Babe knows $U^A$, so she can defeat Adam's cheating. The actual situation is that $\{\lambda_k\}$ is an unknown parameter in an infinite-dimensional space over $\mathbb{R}$ or $\mathbb{C}$, as discussed in Appendix B. The conclusion arrived at above can also be repeated in this regard. Under proper concealing (10), there is no need for Adam to know $\{\lambda_k\}$, in accordance with the Secrecy Principle. There is no way Adam can find out which particular $\{\lambda_k\}$ Babe uses. It is entirely her private affair. Without (9), Babe is not going to commit bit suicide with (8). She would use a different $\{\lambda_k\}$ instead. 

Generally, it is difficult to pin down a necessary condition for $\epsilon$-concealing for an arbitrary protocol without utilizing specific information about the protocol details. In fact, the very meaning of concealing in an arbitrary protocol has to be decided upon. Thus, (9) may be too strong, because Babe in general does not know the distribution $\{p_i\}$ on Adam's secret parameter $i$. It may not be necessary for $\epsilon$-concealing that $\rho_0^B \simeq \rho_1^B$ holds for any $\{p_i\}$, due to averaging or to the game situation involving $\{\lambda_k\}$ just discussed. Thus, a general impossibility proof for Type 3 protocols would face the immediate obstacle of not being able to specify quantitatively either a necessary $\epsilon$-concealing or a necessary $\epsilon$-binding condition. On the other hand, a security proof for a particular protocol is much easier, because sufficient conditions and the protocol mechanism can be specifically exploited. 

We summarize the main points concerning random numbers. 

1. Classical randomness is not generally reducible to quantum uncertainty. 

2. The condition of $\epsilon$-concealing with random numbers is not equivalent to its quantum purification version, i.e., (9) is not equivalent to (10). 

3. The coefficients $\{\lambda_k\}$ in the quantum purification (2) are generally not known to the other party. 

4. The concealing condition (8) used in the impossibility proof is, in general, neither necessary nor sufficient for concealing. 

5. There is no general impossibility proof when anonymous states are involved in a protocol. 

6. With random $k$ and $i$, it is difficult to formulate a necessary $\epsilon$-concealing or $\epsilon$-binding condition in order to start an impossibility proof. 

7. The general situation of an unspecified protocol, even the simple case (1), is game-theoretic. 
9 Too many possible questions to entangle: Type 4 protocols 

In Type 4 protocols, the unentangled state $|\phi_u\rangle$ is brought about from the entangled, openly known $|\Phi_b\rangle$ through the asking of questions related to the evidence by Babe. As a consequence, one arrives at the situation discussed at the beginning of Section 8, where the randomness that makes up the committed state is not entangled by Adam. The ideas and procedure are best explained for the specific case of protocol QBC4 in the following. 

Adam sends Babe a sequence of $n$ qubits, each in either one of $\{|\phi\rangle, |\phi'\rangle\}$, such that an even number of $|\phi'\rangle$ corresponds to $b = 0$, and an odd number to $b = 1$. As shown in Appendix C, the protocol is $\epsilon$-concealing for large $n$ for any $|\langle\phi|\phi'\rangle|^2 = \epsilon_1$, and Adam has the usual EPR cheat with the entanglement 

$$|\Phi_0\rangle = \sum_i \sqrt{p_i}\, |e_i\rangle |\phi_{0i}\rangle \qquad (12)$$

for $p_i = 1/2^{n-1}$. It was suggested in v2 of this paper (quant-ph/0207089 v2) that Babe now asks Ad
am to reveal to her $n - n_0$ qubits, randomly selected out of $n$, with the $n_0$ remaining ones sufficient to ensure $\epsilon$-concealing. The idea is to force him to measure the $\{|e_i\rangle\}$ in (12) to pin down a specific $|\phi_{0i}\rangle$, thus destroying the entanglement. However, Adam can respond as follows. Let $i = (i_1, \ldots, i_n)$, $i_l \in \{0, 1\}$, $l \in \{1, \ldots, n\}$, $|\phi_{0i}\rangle = |\phi_{0i_1}\rangle \cdots |\phi_{0i_n}\rangle$, $|\phi_{0i_l}\rangle \in \{|\phi\rangle, |\phi'\rangle\}$ in each $\mathcal{H}_{l2}$, $\mathcal{H}^B = \otimes_l \mathcal{H}_{l2}$. Then $|\Phi_0\rangle$ can be extended through local operation to 

$$|\Phi_0\rangle = \sum_i \sqrt{p_i}\, |i_1\rangle \cdots |i_n\rangle |e_i\rangle |\phi_{0i}\rangle \qquad (13)$$

in $\mathcal{H}^{A'} \otimes \mathcal{H}^A \otimes \mathcal{H}^B$, $\mathcal{H}^{A'} = \otimes_{l=1}^{n} \mathcal{H}_{l1}$ a product of qubits, where $|i_l = 0\rangle$ and $|i_l = 1\rangle$ for each $l$ are two orthogonal states from the BB84 state set $S_0$ on a fixed great circle $C$ of each qubit, with $|i_l = 0\rangle$ corresponding to $|\phi\rangle$ and $|i_l = 1\rangle$ to $|\phi'\rangle$. In response to Babe's question on a subset $S \subset \{1, \ldots, n\}$, $|S| = n - n_0$, Adam sends Babe the state spaces $\mathcal{H}_{l1}$ for all $l \in S$. Babe can measure on $\otimes_{l \in S} \mathcal{H}_{l1}$ to find the answer to her question and verify on the committed $\{|\phi_{0i_l}\rangle\}$ in $\mathcal{H}_{l2}$, $l \in S$. Since the protocol is concealing with Babe possessing $\mathcal{H}^B \otimes (\otimes_{l \in S} \mathcal{H}_{l1})$ and Adam possessing $\mathcal{H}^{A''} = \mathcal{H}^A \otimes (\otimes_{l \in S^c} \mathcal{H}_{l1})$, $S^c = \{1, \ldots, n\} - S$, Adam can cheat successfully by finding the proper cheating transformation $U^{A''}$ on $\mathcal{H}^{A''}$. 
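The $\epsilon$-concealing claim for the parity commitment above can be checked directly. The following derivation is added here and is not part of the original text; it uses only the page's own symbols ($|\phi\rangle$, $|\phi'\rangle$, $\epsilon_1 = |\langle\phi|\phi'\rangle|^2$, $p_i = 1/2^{n-1}$). Writing $|\phi_{0i}\rangle = |\phi_{0i_1}\rangle \cdots |\phi_{0i_n}\rangle$ with $|\phi_{0i_l}\rangle = |\phi\rangle$ for $i_l = 0$ and $|\phi'\rangle$ for $i_l = 1$, Babe's two states are the parity-restricted mixtures $\rho_b^B = 2^{-(n-1)} \sum_{i:\, i_1 \oplus \cdots \oplus i_n = b} |\phi_{0i}\rangle\langle\phi_{0i}|$, so 

$$\rho_0^B - \rho_1^B = \frac{1}{2^{n-1}} \sum_i (-1)^{i_1 + \cdots + i_n} |\phi_{0i}\rangle\langle\phi_{0i}| = \frac{1}{2^{n-1}} \bigl(|\phi\rangle\langle\phi| - |\phi'\rangle\langle\phi'|\bigr)^{\otimes n},$$

because the sign factorizes over the $n$ positions. The operator $|\phi\rangle\langle\phi| - |\phi'\rangle\langle\phi'|$ is traceless with eigenvalues $\pm\sqrt{1 - \epsilon_1}$, so its trace norm is $2\sqrt{1 - \epsilon_1}$, and the trace norm is multiplicative over tensor products. Hence 

$$\|\rho_0^B - \rho_1^B\|_1 = \frac{\bigl(2\sqrt{1 - \epsilon_1}\bigr)^n}{2^{n-1}} = 2\,(1 - \epsilon_1)^{n/2},$$

which goes to zero exponentially in $n$ for every fixed $\epsilon_1 > 0$: by the Helstrom bound Babe's best guess of $b$ succeeds with probability at most $P_B^c \le \tfrac{1}{2} + \tfrac{1}{2}(1 - \epsilon_1)^{n/2}$. By the Fuchs-van de Graaf inequality $1 - F \le \tfrac{1}{2}\|\rho_0^B - \rho_1^B\|_1$, the Uhlmann fidelity $F$ of $\rho_0^B$ and $\rho_1^B$ under (12) satisfies $F \ge 1 - (1 - \epsilon_1)^{n/2}$, which is the quantity behind the usual EPR cheat with (12). 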

Following our same idea, the protocol is now extended as follows. Babe may ask Adam to do the following instead. He is going to provide Babe with the $|i_l\rangle$ for all $l$, but with each $|i_l\rangle$ turned with probability $1/2$ on the great circle $C$ to the other two orthogonal BB84 states for $i_l = 0$ and $i_l = 1$. That is, with $S_0 = \{|1\rangle, |2\rangle, |3\rangle, |4\rangle\}$ where $\langle 1|3\rangle = \langle 2|4\rangle = 0$, the $|i_l\rangle$ is equally probable to be in $\{|1\rangle, |2\rangle\}$ for a $|\phi\rangle$ and in $\{|3\rangle, |4\rangle\}$ for a $|\phi'\rangle$. The distribution is across the $n$ $|i_l\rangle$'s. It is easy to see, as shown in Appendix C, that the protocol remains $\epsilon$-concealing for any $\epsilon_1$ by making $n_0$ sufficiently large. Now Babe asks Adam to reveal a random set of $n - n_0$ $|i_l\rangle$'s and verifies them on her corresponding $|\phi_{0i_l}\rangle$'s, making sure that all states in $S_0$ appear within, say, the Chernoff bound limit. Since Adam has not entangled over the above randomness, from his point of view $\rho_0^B$ and $\rho_1^B$ are not close at all. 



Let $F$ be the Uhlmann fidelity $\mathrm{tr}\sqrt{(\rho_0^B)^{1/2} \rho_1^B (\rho_0^B)^{1/2}}$ between $\rho_0^B$ and $\rho_1^B$ under (12), and $F'$ the same quantity for the situation just described. It is difficult to evaluate $F'$, but one can bound it loosely by $F' \le F/\sqrt{2}$, from the fact that one now has (11) with a single tensor product extension $\otimes_l |i_l\rangle$ for each $|\phi_{0i}\rangle$ constructed from $|\Phi_0\rangle$. The factor $1/\sqrt{2}$ comes from the largest value of a single overlap $\langle i_l = 0 | i_l = 1\rangle$, the minimum between $|\phi_{0i}\rangle$ and $|\phi_{1j}\rangle$. From (C.7) in Appendix C, Adam's optimal cheating probability satisfies $P_A^c \le F_A(\rho_0^B, \rho_1^B)$ with $F_A$ computed from his point of view. Thus, we have arrived at $P_A^c \le F/\sqrt{2} \le 1/\sqrt{2}$, contradicting the impossibility proof assertion (IP) of (7). By utilizing this scheme repeatedly, one may obtain an unconditionally secure protocol, in the way described for QBC2 in [15]. However, we can also achieve unconditional security as follows. 

Babe now asks Adam to present $|i_l\rangle$ in two equally probable states $\{|1\rangle, |5\rangle\}$ with $|5\rangle = R(\theta)|1\rangle$ for $|\phi\rangle$ or $i_l = 0$, and in $\{|3\rangle, |6\rangle\}$ with $|6\rangle = R(\theta)|3\rangle$ for $|\phi'\rangle$ or $i_l = 1$. The angle $\theta$ is chosen so small that the overlap $\langle 5|3\rangle$ is $\epsilon$ instead of $1/\sqrt{2}$ as in the case of $S_0$. Thus $P_A^c \le \epsilon$, while Babe's concealing parameter can still be made $< \epsilon$ by having $n_0$ sufficiently large. Babe asks Adam to reveal $n - n_0$ of these $|i_l\rangle$'s and verifies them as above. Adam's probability of successful cheating by whatever action is exponentially small in $n - n_0$, but we do not need to quantify it under the assumption that he needs to open perfectly for $b = 0$. That can only occur if he measures $\{|e_i\rangle\}$ in (13) to answer. Babe can even postpone the measurement to the verification phase. 



Adam cannot change (13) to one that allows him to cheat from pre-entanglement on answers to the questions, due to local state invariance, as follows. Consider just the pair of qubit states at the same $l$-th position, $|i_l\rangle|\phi_{0i_l}\rangle$, with all other qubits fixed. When a measurement of $\{|1\rangle, |3\rangle\}$ is performed on $\mathcal{H}_{l1}$, the state on $\mathcal{H}_{l2}$ is a mixture of $|\phi\rangle\langle\phi|$ and $|\phi'\rangle\langle\phi'|$ under (13) when averaged over the measurement results. If the $|i_l\rangle$ is entangled to $|\phi_{0i_l}\rangle$ over all four states in $S_0$ or $\{|1\rangle, |5\rangle, |3\rangle, |6\rangle\}$ in the required form 

$$\sum_{k=1}^{4} \cdots\, |k\rangle \qquad (14)$$

with the proper matching $|\phi_{0i_l}\rangle$, such a measurement would produce a state on $\mathcal{H}_{l2}$ with non-vanishing interference terms that can be easily computed. No local operation on $\mathcal{H}^{A'}$ can change the state of $\mathcal{H}_{l2}$ in this way, as a consequence of the local state invariance stated in Appendix C. Intuitively, it is clear that Adam cannot entangle on top of entanglement. Mathematically, he can extend (13) as a tensor product, but not as a direct sum. 

More generally, Babe can ask Adam to present his answers for each qubit in any coded form in one qubit, two qubits, or $m$ qubits. She can adjoin an integer $m$ to precede $i$ in the binary representation with $m + i$ bits, present Adam with her secretly chosen computable and invertible arithmetical function $f : \mathbb{N} \to \{0, 1\}^*$, and ask for the answer $f(\{m, i\})$. If Adam is honest and submitted unentangled $|\phi_{0i}\rangle$, he can answer straightforwardly. With his entanglement, he could do the quantum computation in 

$$|\Phi_0\rangle = \sum_i \sqrt{p_i}\, |f(\{m, i\})\rangle |e_i\rangle |\phi_{0i}\rangle, \qquad (15)$$

passing $\mathcal{H}^{A'}$ with state $|f(\{m, i\})\rangle$ to Babe. Babe can ask for presentations as in the parity case above. Indeed, the possibilities of presenting the individual parity answers in different spaces alone lead to an infinite set of possible questions of arbitrarily large cardinality. 
To be able to cheat under such open questioning, Adam has to pre-entangle the answer to every possible question. However, he can only pre-entangle the answers to a finite number of questions. Indeed, even if he pre-entangles an infinite number, he cannot locate the answer by an algorithm; the set of Turing-computable functions alone is already not recursively enumerable. For the parity function, Babe can ask questions involving subset parities on the $n$ qubits, already generating $2^n$ types of questions, which is too many to entangle for $n > 410$ even if one can use all the physical resources in the Universe. See Appendix D for this physical limit. 

As elaborated in Appendix B and in Sections 3-5, Babe can automatize a secretly chosen rule to specify the questions she may ask. If one wants to talk about probability, it is fair to say that the probability that her question was pre-entangled by Adam is arbitrarily small. Alternatively, to avoid unfruitful terminological debate, one may just say that Adam can cheat only if Babe's questions, drawn from an infinite set, fall within Adam's finite set of pre-entangled questions. This situation was not realized before, and serves effectively to produce an unconditionally secure protocol. It may be emphasized that if $|\Phi_b\rangle$ is openly known, Babe can always ask a further question that is not pre-entangled in it, thus rendering it unentangled, as discussed above. 

PROTOCOL QBC4 

(i) Adam sends Babe a sequence of $n$ qubits, each being either one of 
$\{|\phi\rangle, |\phi'\rangle\}$, such that an even number of $|\phi'\rangle$'s corresponds to $b = 0$, 
and an odd number to $b = 1$. 

(ii) Babe asks Adam questions that are sufficient to pin down the total 
committed state, requiring him to present his answers in a specific 
randomized form. 

(iii) Babe verifies some of the answers by further questions on how Adam 
actually randomized them. 

(iv) Adam opens by revealing all the unknown states to Babe. She verifies 
by corresponding measurements. 
This protocol bears a resemblance to a Type 3 protocol, in which Babe uses a parameter unknown to Adam. The difference is that an additional technique, open questioning of the evidence, is used to guarantee $\epsilon$-concealing for each unknown value that would require a different cheating arrangement by Adam, something that is difficult to achieve by means of anonymous states alone. Also, there is no discrete approximation to the infinite set of possibilities in this case, in contrast to the probabilities $\{\lambda_k\}$. Furthermore, when Adam misses the value, his cheating probability is vanishingly small, in contrast to a mismatch between $U^A$ and $\{\lambda_k\}$. 

To recapitulate the logic of Type 4 protocols: by asking open questions concerning the evidence, with answers presented in a specific randomized form chosen secretly by her, Babe ensures that Adam can only cheat successfully by pre-entangling the whole question correctly. However, he can do that only with a vanishingly small probability. It is appropriate to emphasize that this type of protocol shows that, other than unknown parameters, the specifics of a protocol may play a significant role in rendering untenable the assertion that an openly known $|\Phi_b\rangle$ is obtained at the end of commitment. This issue has not been adequately addressed in the impossibility proof. 
10 Summary and conclusion 

If there is a general impossibility proof for secure QBC, one should be able to apply it schematically to any proposed QBC protocol to show that it is insecure. This often cannot be done. The reason is that the impossibility proof formulation is quite restrictive, and many nontrivial details of a systematic proof have not been spelled out. Some such criticisms have already been discussed in Ref. [15], but they are analyzed quantitatively in this paper. 

We introduced several new techniques for protocol design, not covered by the impossibility proof formulation, which only applies to what we call Type 0 protocols. We presented the following new types of protocols: 

• Type 1 — measurement for cheating detection, 

• Type 2 — shifting of evidence state spaces, 

• Type 3 — utilization of anonymous states, 

• Type 4 — open questioning of evidence. 

A specific Type 4 protocol, QBC4, is proved unconditionally secure. We indicated how a Type 1 protocol, QBC1, and a Type 2 protocol, QBC2A, may be proved secure. The situation is as yet undecided for Type 3 protocols: there is no impossibility proof, but there is no protocol which is clearly secure either. A general theory of quantum statistical games needs to be developed for addressing many such QBC problems in a satisfactory manner. 

The content of this paper hopefully makes clear the vast richness of this subject yet 
to be uncovered, especially for protocols that can be practically implemented in a realistic 
environment. 






Appendix A: no impossibility theorem without QBC definition 



It is generally believed by mathematicians that a mathematical theorem can only be obtained from precise mathematical definitions. In the impossibility proof of trisecting the angle $\pi/3$ by straightedge and compass only, for example, the action of these two instruments is precisely captured mathematically by quadratic extensions of the field of rational numbers. Do we need a definition of a QBC protocol to have a theorem which says that unconditionally secure QBC is impossible? After all, E. Witten got a Fields Medal in mathematics for work that made essential use of the Feynman path integral, on which M. Atiyah, a former Fields medalist and judge on the medal's decision panel, commented: "... provided one believes that the integral makes sense," to which Witten replied: "We have forty years of experience of computing these types of integrals" [22]. Regardless of one's opinion concerning the Feynman path integral (which, I think, is one of the greatest scientific creations), it is not similar to a QBC protocol which, unlike the path integral, has no definite expression that could serve as a starting point. 

A closer analogy to a QBC protocol is an "effectively computable" function, a function 
whose value for any specific argument can be "mechanically" obtained in a finite number 
of steps without the intervention of "intelligence." The well-known Church-Turing thesis 
says that any effectively computable function can be computed recursively or by a Turing 
machine. It can be cast as an impossibility statement: there is no effective procedure that 
cannot be simulated by a Turing machine. It was found that a function that can be computed 
by a method that is clearly effective, such as Post machines and Markov algorithms, is indeed 
also Turing-computable. However, nobody calls the Church-Turing thesis the Church-Turing 
theorem. This is because there is no mathematical definition of an effective procedure. The 
logical possibility is open that someday a procedure is found that is intuitively or even 
physically effective, but which can compute a nonrecursive arithmetical function. 

Thus, in the absence of a precise definition of a QBC protocol, one would have at best 
an "impossibility thesis," not an impossibility theorem. (This view was emphasized to the 
author by Masanao Ozawa.) This concern about definition is not scholasticism. There 
is no definition that would characterize all classical cryptographic protocols, say for bit 
commitment, partly because, I believe, of the open possibilities described in Section ^] of 
this paper. It is at least not clear why a definition in the more general quantum case can 
ever be found. Just as there appear to be many different forms of effective procedures, there 
are many different QBC protocol types that appear not to be captured by the impossibility 
proof formulation. To uphold just the "impossibility thesis," one would need to prove that 
unconditionally secure QBC is impossible in each of these types — four of them are given 
in this paper. My contention is that not only is there no impossibility proof for these four 
types, but in fact unconditional security can be obtained in at least three of them. 
Appendix B: unknown versus random parameters and "Church of the Larger Hilbert Space" 

A considerable amount of confusion surrounds the equivalence between the use of classical 
random numbers and their quantum entanglement purification via the doctrine of "Church of 
the Larger Hilbert Space," which is employed in various subareas of quantum information and 
quantum cryptography. There is also confusion about whether there exists a secret parameter 
with no probability distribution that can nevertheless be automatized by a machine. These 
questions are tangled up with a basic assumption or assertion of the impossibility proof that, 
in any QBC protocol, there is a publicly known pure state $|\Phi\rangle$ to start with, which results in a 
publicly known $|\Phi_b\rangle$ at the end of commitment, connected to $|\Phi\rangle$ by a publicly known unitary 
transformation. In this Appendix, we will show that in the making of a QBC cryptographic 
system, some external agent is always involved, and the system is always open; thus, the 
above assertion is untenable. In the process, we hope to bring out some clear demarcations 
that would dispel various confusions. 

To begin with, not every unknown parameter can be, or should be, modelled as a random 
variable, for different reasons that are well known in classical statistics. One reason is the 
impossibility of assigning probabilities to an infinite sample space in some situations, such as 
a uniformly distributed random variable with values in the positive integers $\mathbb{N}$ or the real 
numbers $\mathbb{R}$, and similarly on general countably infinite or uncountable spaces. This situation 
occurs in QBC4 of Section when the space of all possible actions is of arbitrarily large 
cardinality, or, say, just $|\mathbb{N}|$, even though everything is finite to start with. A second reason is 
that there may be no meaningful ensemble for the parameter $r$, which should be just left as an 
unknown parameter to be drawn from a given set, finite or infinite. This happens in various 
circumstances, such as the measurement of a physical (say, astronomical) characteristic that 
takes on a fixed value to be estimated. Such estimation of an unknown parameter without 
the use of a priori information on its distribution is, in fact, very common. In quantum 
teleportation, one talks about the fidelity of receiving a state of a qubit that is just 
unknown, not with respect to any uniform distribution, so that the ensemble is not described by 
the density operator $I/2$. The ensemble is, rather, $|\psi\rangle, |\psi\rangle, \ldots$, and the scheme is supposed 
to work for any $|\psi\rangle$, not on $I/2$. A third reason is that often $r$ is subjected to the control 
and decision of an agent, and no probability distribution has a meaning in terms of relative 
frequency, as it may have in other cases. Indeed, the frequency interpretation of probability 
has been rejected from the beginning in decision theory [23], for applications to which the 
"subjective" interpretations are more meaningful. Not only may $r$ be used only once, but 
also the controlling agent may use it repeatedly (i.e., $r, r, \ldots$) in an actual ensemble once it 
is decided upon. There is no actual ensemble that yields $r_1, r_2, \ldots$ according to whatever 
probability distribution. 

This last situation happens in the use of anonymous states in a QBC protocol. Suppose 
Babe generates (13) instead of $|\psi_k\rangle$ in an entanglement purification. The state of $\mathcal{H}^{B_1}$ or 
$\mathcal{H}^{B_1} \otimes \mathcal{H}^{B_2}$ is anonymous to Adam because he does not know exactly what it is — Babe 
has the freedom to choose $\lambda_k$ in (0). According to the Secrecy Principle of Section ^, 
under a proper concealing condition she can pick $\{\lambda_k\}$ with any rule made up by her and 
unknown to Adam, either for one use or in repeated uses of (2) for a sequence of different bit 
commitments. In such a sequence, she can use exactly the same value, or use different values 
generated according to the parameters decided by another value. For example, assuming all 
possible $\{\lambda_k\}$ form a finite set, she can pick one randomly and stick to it in a sequence of 
commitments. This can clearly be automatized, and the result does not appear to Adam as 
an ensemble with a distribution $\{\lambda_k\}$, but rather as an "ensemble" with one fixed unknown 
$\{\lambda_k\}$. 

Now we are led to the equivalence between random numbers and their quantum purifications. 
I assert that the following sequence of states generated by random numbers with 
probability $\{\lambda_k\}$ in $\mathcal{H}^{B_1}$, 

$$\phi_1, \ldots, \phi_l, \ldots, \qquad |\phi_l\rangle \in \{|\psi_k\rangle\}, \tag{B.1}$$

is different from the $\mathcal{H}^{B_1}$ states in the sequence obtained by the purification $|\Phi\rangle$ of (0): 

$$|\Phi\rangle = \sum_k \sqrt{\lambda_k}\, |\psi_k\rangle |f_k\rangle, \tag{B.2}$$

where $|\Phi_l\rangle = |\Phi\rangle$ for every $l$. In a specific instance $\phi_l$ of (B.1) there is no average over 
$\{|\psi_k\rangle\}$, but there is always such an average for each $\Phi_l$. Under (B.2), which can be used 
for cheating in the form (1), the agent controlling $\mathcal{H}^{B_2}$ of (0) or $\mathcal{H}^{A}$ of (1) can select a 
preferred ensemble in $\mathcal{H}^{B_1}$ or $\mathcal{H}^{B}$, which makes EPR cheating possible. On the other hand, 
the ensemble in (B.1) is fixed and cannot be changed. Quantum entanglement is a physical 
resource that needs to be established. Not all randomness is reducible to that of quantum 
entanglement.† Indeed, (B.1) does not allow EPR cheating. This is the situation in QBC4, 
created through Babe's questioning on Adam's measurement purification states. Note that 
the agent controlling (B.1) or (B.2) may choose to generate any $\psi_k$ on the $\phi_l$'s or $\Phi_l$'s. This 
situation with unknown parameters is also relevant to our Type 3 protocols. 

The above difference can be rephrased as follows. In the density operator expansion 

$$\rho = \sum_k \lambda_k |\phi_k\rangle\langle\phi_k|, \tag{B.3}$$

the randomness in $k$ may come from a variety of sources. If all of it comes from quantum 
entanglement, then (0) applies, and the agent controlling $\mathcal{H}^{B_2}$ can select the ensemble in 
$\mathcal{H}^{B_1}$. If some of it comes from elsewhere, it would not be equivalent to (0), and ensemble 
selection or entanglement cheating is limited or becomes impossible, depending on the exact 
form of the joint state. The occurrence of such non-entanglement randomness is always 
possible because the system is subject to intervention by agents. In any meaningful and 
realistic formulation of the problem, the agents' possible actions are infinitely varying and 
open. They cannot be described as a public $|\Phi\rangle$ being transformed in a closed system to 
another public $|\Phi_b\rangle$. Indeed, for QBC there is in general a game-theoretic situation, where 
both parties can choose actions unknown to the other party. 



†Note that even if it is, an agent can cheat only if he controls $\mathcal{H}^{B_2}$ in 

Appendix C: protocol QBC4 



Here we fill in certain mathematical details on QBC4. We consider first the case when Babe 
asks no question on the evidence. 

Adam can guarantee concealing by using uniform probability $1/2^{n-1}$ for each sequence of 
either parity. In that case, $\rho_0 - \rho_1$ factorizes into products of individual qubit parts. Let $j = 
(j_1, \ldots, j_n) \in \{0,1\}^n$, $P_{l0} = |\theta\rangle\langle\theta|$, $P_{l1} = |\theta'\rangle\langle\theta'|$, $l \in \{1, \ldots, n\}$. Let $A_0 = \{j \mid \bigoplus_{l=1}^n j_l = 0\}$, 
$A_1 = \{j \mid \bigoplus_{l=1}^n j_l = 1\}$ be the even- and odd-parity $n$-bit sets. Then 

$$\rho_b = \frac{1}{2^{n-1}} \sum_{j \in A_b} \bigotimes_{l=1}^{n} P_{l j_l}, \qquad b \in \{0,1\}, \tag{C.1}$$

and so 

$$\rho_0 - \rho_1 = \frac{1}{2^{n-1}} \bigotimes_{l=1}^{n} \left( P_{l0} - P_{l1} \right). \tag{C.2}$$

Thus, Babe's optimum quantum decision reduces to optimally discriminating between $|\theta\rangle$ 
and $|\theta'\rangle$ for each qubit individually, and then seeing whether there is an even or odd number 
of $|\theta'\rangle$'s. The optimum error probability $p_e$ for each qubit is well known [24, 15]: 

$$p_e = \frac{1}{2} - \frac{1}{2}\sqrt{1 - |\langle\theta|\theta'\rangle|^2}. \tag{C.3}$$

The optimum probability of correct bit decision on the sequence is, from the even 
and odd binomial sums, given by 

$$P_c^B = \frac{1}{2} + \frac{1}{2}\left(1 - 2p_e\right)^n. \tag{C.4}$$

Thus $P_c^B$ is close to $1/2$ exponentially in $n$, independently of $1/2 > p_e > 0$. 

After committing $|\Phi_0\rangle$, Adam can still try to cheat with the $\{|e_j\rangle\}$ measurement by 
declaring one qubit to be in a state different from the actual one. The probability of success 
is $|\langle\theta|\theta'\rangle|^2 = \epsilon_1$, a design parameter of the protocol. It can be made $\epsilon$-concealing by 
choosing 

$$|\langle\theta|\theta'\rangle|^2 = \epsilon_1 < \epsilon \tag{C.5}$$

and, from (C.4), choosing $n$ to satisfy 

$$(1 - \epsilon_1)^{n_0} < 4\epsilon^2. \tag{C.6}$$
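To make the concealing condition concrete, here is an added Python example (not from the paper) that evaluates Babe's per-qubit error probability (C.3), her parity-decision probability (C.4) both in closed form and by the direct even/odd binomial sums, and the smallest $n_0$ satisfying (C.6) for constructed sample values of $\epsilon_1$ and $\epsilon$.

```python
import math

def qubit_error_prob(eps1):
    """p_e of (C.3): optimum error probability for telling |theta> from |theta'>
    when |<theta|theta'>|^2 = eps1 (0 <= eps1 <= 1)."""
    return 0.5 - 0.5 * math.sqrt(1.0 - eps1)

def parity_decision_prob(p_e, n):
    """P_c^B of (C.4): probability that Babe's parity decision on n qubits is
    correct, given independent per-qubit error probability p_e."""
    return 0.5 + 0.5 * (1.0 - 2.0 * p_e) ** n

def parity_decision_prob_binomial(p_e, n):
    """Same quantity from the even/odd binomial sums: the parity of n decisions
    is right exactly when an even number of them are wrong."""
    return sum(math.comb(n, k) * p_e ** k * (1.0 - p_e) ** (n - k)
               for k in range(0, n + 1, 2))

def min_sequence_length(eps1, eps):
    """Smallest n0 with (1 - eps1)^n0 < 4 eps^2, i.e. condition (C.6)."""
    if not (0.0 < eps1 < 1.0 and eps > 0.0):
        raise ValueError("need 0 < eps1 < 1 and eps > 0")
    n0 = max(1, math.ceil(math.log(4.0 * eps * eps) / math.log(1.0 - eps1)))
    while (1.0 - eps1) ** n0 >= 4.0 * eps * eps:  # guard against float rounding
        n0 += 1
    return n0

def concealing_margin(eps1, eps):
    """Babe's advantage P_c^B - 1/2 at the n0 chosen by (C.6). Combining (C.3)
    and (C.4), 1 - 2 p_e = sqrt(1 - eps1), so the advantage equals
    (1 - eps1)^(n0/2) / 2, which (C.6) keeps below eps."""
    n0 = min_sequence_length(eps1, eps)
    return parity_decision_prob(qubit_error_prob(eps1), n0) - 0.5

if __name__ == "__main__":
    eps1, eps = 0.5, 0.01  # constructed sample design parameters
    print("n0 =", min_sequence_length(eps1, eps),
          "advantage =", concealing_margin(eps1, eps))
```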

When Adam presents the additional $|\psi\rangle$'s in $S_0$ or other sets, Babe's density operator 
$\rho_0^B$ is diagonal, similar to (B.2), in the basis that diagonalizes each pair $\mathcal{H}_{l2} \otimes \mathcal{H}_{l1}$. Her 
optimum decision reduces to optimally discriminating between the two density operators 
corresponding to $i_l = 0$ and $i_l = 1$ for each of these $n$ pairs, and then choosing the total 
resulting parity from the $n$ decisions. Thus, $P_c^B$ is given by (C.4) with $p_e$ given by the 
optimum pair decision, which just yields a different function of $\epsilon_1$ from (C.3). For any fixed 
$\epsilon_1$, $P_c^B$ can be made smaller than any $\epsilon$ as in (C.6) with a large enough $n_0$. 

The following theorem characterizes Adam's optimal probability of cheating $P_c^A$ when 
$|\Phi_0\rangle$ of (?) is used, with the resulting states and the fidelity $F$ between them. 

Theorem. 

$$F^2 \le P_c^A \le F. \tag{C.7}$$

The bounds (C.7) are identical to (21) for $P_c^A$ in Ref. \W\. It can be seen from Appendix A, 
(6), and (18) of p| that actually $P_c^A = P_c^A$. 

The following theorem [15] is also used in Section y. 

Theorem (local state invariance). Let $\rho^{AB}$ be a state on $\mathcal{H}^A \otimes \mathcal{H}^B$ with $\rho^B = \mathrm{tr}_A\, \rho^{AB}$. The 
state $\rho^B$ remains invariant under any quantum operation on $\mathcal{H}^A$ alone. 
Appendix D: physical limits and unconditional security 

In cryptography, a system is typically called unconditionally secure if it cannot be broken 
with infinite computational power, i.e., its security is not based on computational complexity 
of any kind. In quantum cryptography, the system's security depends on the validity of the 
laws of quantum physics and not on the limits of computational power, so this security is 
unconditional. More broadly, one can say that in physical cryptography, the system's security 
is based on facts of our physical world which are immutable, and hence is unconditional also. 
Indeed, the laws of physics are part of the facts of Nature, which include both the laws and 
the initial conditions of the Universe that give rise to the world we live in. For example, we 
can exploit and utilize the background radiation from the sun or even the cosmos, because 
they are always there, not removable by any technological advance. Such physical limits 
are fundamentally different from ones that arise from computational complexity, quantum 
or classical. 

Similarly, there are facts of nature that impose physical limits on the possible number of 
qubits one may use in entanglement. What may be surprising is that the number so limited 
is small on just an exponential scale. By various estimates, the total number of elementary 
fermions in the world is $< 10^{89} < 2^{400}$. If $E_1$ is the energy range available with separation 
$\Delta E \sim \hbar/\Delta t$, taking $\Delta t$ to be the age of the Universe ($< 2^{40}$ sec), the total number of qubits 
available with energy $E_1$ is $2^{400} \log < 2^{410}$. For the boson electromagnetic field with total 
energy $E_2$, the number of qubits available is $\Delta t \log$ from the bit capacity of a boson field 
[26, 27]. Taking $\tau$ to be the Planck time $10^{-44}$ sec and $E_2$ the total electromagnetic radiation 
energy in the Universe [25], this yields $< 2^{380}$ qubits. Thus, one can entangle no more than 
$\sim 2^{410}$ binary possibilities. 